Lab 3 : Network security using SNORT
Introduction
This Lab is a specialized virtual environment designed for the purpose of cybersecurity
training and education. In today’s digital landscape, the importance of understanding and
defending against cyber threats is paramount. This lab provides a practical, hands-on
approach to learning various aspects of cybersecurity, including but not limited to
penetration testing, network security, intrusion detection, and response strategies.
Purpose
The primary purpose of this Lab is to facilitate a comprehensive understanding and
application of cybersecurity concepts and practices.
This lab environment is intended to:
1. Provide a hands-on approach to learning offensive and defensive cybersecurity
techniques using tools such as Metasploitable, Kali Linux, and Ubuntu.
2. Serve as an educational platform for aspiring cybersecurity professionals.
3. Create a safe, controlled environment for experimentation.
4. Enhance technical skills in network security and ethical hacking.
Scope
The scope of the Lab encompasses:
1. Virtualization and Network Setup: Utilizing VMware for the creation and management
of virtual machines, each hosting different operating systems (Metasploitable, Kali Linux,
and Ubuntu) and configured in a host-only network to ensure isolation and safety.
2. Tool Implementation and Configuration: Including Snort for intrusion detection.
3. Learning Objectives: Focusing on providing hands-on experience in identifying
vulnerabilities, conducting penetration tests, monitoring network traffic, and
implementing defensive strategies.
4. Resource Constraints: Designed to be efficient and functional within the constraints of
8GB RAM, ensuring accessibility for users with limited hardware resources.
Lab Requirements
Hardware Requirements
RAM: 8 GB of RAM.
Storage: 30GB+
Operating Systems
1. Metasploitable: This will act as the victim machine. Metasploitable is intentionally
vulnerable to provide a training environment for security testing.
https://sourceforge.net/projects/metasploitable/files/latest/download
2. Kali Linux: This will be used as the attacker machine. Kali Linux comes with numerous
pre-installed penetration testing tools.
https://www.kali.org/get-kali/
3. Ubuntu: This will serve as the defense machine, where you’ll monitor the network and
implement security measures.
https://ubuntu.com/download/desktop
Software Requirements
1. Virtualization Software: VMWare.
2. NIDS/NIPS: Snort https://www.snort.org/downloads#snort3-downloads
Note: that link is the Snort 3 download page. The `apt-get install snort` step used below installs the Snort 2.9 package from the Ubuntu repositories, and the rest of this lab (/etc/snort/snort.conf, the `threshold` rule option) uses Snort 2 syntax. Snort 3 uses a Lua configuration (snort.lua) and different rule options, so use the packaged version for this lab.
Network
In my environment I have this network:
Kali — 192.168.152.128/24
Metasploitable — 192.168.152.129/24
Ubuntu — 192.168.152.130/24
Network Illustration
Note: My Kali did not receive its IP from the virtual DHCP server. If you have the same problem, bring the interface up and request a lease (the interface flag list between `eth0:` and `mtu` is not reproduced here):

```
> ip addr show eth0
2: eth0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 00:0c:29:14:1d:0c brd ff:ff:ff:ff:ff:ff
> sudo ip link set eth0 up
> sudo dhclient eth0
> ip addr show eth0
2: eth0: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:14:1d:0c brd ff:ff:ff:ff:ff:ff
    inet 192.168.152.128/24 brd 192.168.152.255 scope global dynamic eth0
       valid_lft 1659sec preferred_lft 1659sec
    inet6 fe80::20c:29ff:fe14:1d0c/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
```
Setting Up Virtual Machines
Setting Up Attacker Machine — Kali
1. Download the VMware image of Kali from https://www.kali.org/get-kali/
2. Unpack the archive.
3. Open the file with the `.vmx` extension in VMware.
Setting Up Victim Machine — Metasploitable
1. Download https://sourceforge.net/projects/metasploitable/files/latest/download
2. Unzip the archive.
3. Open the file with the `.vmx` extension in VMware.
Setting Up Monitoring and Detection Machine — Ubuntu
1. Download the iso from https://ubuntu.com/download/desktop
2. Create a new Virtual Machine in VMware (the wizard screenshots are not reproduced here).
3. Choose Ubuntu's iso as the installer disc, then click Next through the remaining wizard pages and Finish.
4. Power On. The Ubuntu installer will open.
5. Choose the keyboard (US), choose your location, and follow the installer to the end.
Snort
Snort is an open-source network intrusion prevention system (NIPS) and network intrusion
detection system (NIDS). It analyzes network traffic against a rule set to identify malicious activity, logs the matching packets, and performs real-time traffic analysis. Run passively on a mirror or promiscuous interface it only alerts (IDS mode); run inline on the traffic path it can also drop packets (IPS mode). In this lab the Ubuntu VM only observes the host-only network, so Snort runs in IDS mode.
Setting Up Snort
1. Install the package (this is Snort 2.9 on Ubuntu):
sudo apt-get install snort -y
2. The installer asks for the interface Snort should listen on (find it with `ip a`; in a VMware Ubuntu guest it is usually ens33).
3. It also asks for the address range of your local network; enter the host-only subnet (mine is 192.168.152.0/24).
4. Put the interface into promiscuous mode so that Snort sees traffic between the other VMs, not only packets addressed to Ubuntu:
sudo ip link set ens33 promisc on
5. Open the configuration file:
sudo vim /etc/snort/snort.conf
6. Change the HOME_NET definition from any to your IP range: the line `ipvar HOME_NET any` becomes `ipvar HOME_NET 192.168.152.0/24` (mine). The rules written with `$HOME_NET` below depend on this.
7. Validate the rules and the rest of the configuration without sniffing (run as root):
sudo snort -T -i ens33 -c /etc/snort/snort.conf
The output lists the rules that were loaded. You can see that Snort is using the prewritten rule files pulled in by the `include $RULE_PATH/...` lines of snort.conf.
You can disable them by commenting those include lines out, keeping only `include $RULE_PATH/local.rules`, so that during the exercises only your own rules fire.
Now Snort is set up. The next step is to write rules and trigger them.
Writing the First Rule
You can write rules manually into `/etc/snort/rules/local.rules`, generate them with a web form such as http://snorpy.cyb3rs3c.net/, or ask ChatGPT. Whichever way you produce a rule, validate it with `snort -T` before relying on it.
The parts of a rule:
1. Action (alert, log, pass, drop, reject, sdrop).
2. Protocol (tcp, udp, icmp, ip).
3. Source IP and port.
4. Direction operator (-> one way, <> both ways), then destination IP and port.
5. sid: the rule id. Every Snort rule needs a different sid. Snort reserves sids below 1,000,000 for its own rule sets, so local rules should normally start at 1,000,000; this lab uses 10000 and up, which works while the prewritten rules are disabled but would collide with them otherwise.
6. rev: the revision number. Normally it increases by one after each update of the rule.
7. msg: the message logged when the rule fires.
8. The resulting rule. Copy it.
alert icmp any any -> any any ( msg:"Someone is pinging"; sid:10000; rev:1; )
alert icmp any any -> $HOME_NET any ( msg:"Someone is pinging"; sid:10001; rev:1; )
The first rule matches every ICMP packet in either direction (request and reply); the second fires only for ICMP sent to a host in HOME_NET, which is usually what you want. Write the rules into the /etc/snort/rules/local.rules file, one rule per line:
This command will show alerts in real time on the console (Snort must run as root to sniff):
sudo snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.conf
Ping somewhere and watch the alert appear. You can also try pinging Metasploitable from Kali; because the Ubuntu interface is in promiscuous mode, Snort sees that traffic too.
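Snort loads a rule file whole and exits on the first syntax error it meets, so it helps to check local.rules before loading it. The following script is an added example for this lab (it is not Snort's own parser and is not part of the original handout): it splits each rule into the header fields described above and the option list, then reports duplicate sids, rules without msg or sid, sids in the range Snort reserves for its own rule sets, and lines that are not well-formed rules. The rules it checks are constructed for the demonstration; they mirror the lab's rules but use sids from 1000001 up, except where a mistake is planted on purpose.

```python
"""Lint a Snort 2 local.rules file before loading it with `snort -T`."""
import re

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
LOCAL_SID_MIN = 1000000  # sids below this are reserved for the official rule sets

# header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# one option: name[:value];  a quoted value may contain \" and \; escapes
OPT_RE = re.compile(r'\s*([\w-]+)\s*(?::\s*("(?:\\.|[^"\\])*"|[^;]*))?;')


def parse_rule(text):
    """Split one rule into its header fields and an ordered (name, value) option list."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: %s" % text.strip())
    rule = m.groupdict()
    body, pos, options = rule.pop("opts").strip(), 0, []
    while pos < len(body):
        om = OPT_RE.match(body, pos)
        if not om:
            raise ValueError("bad option syntax near: %s" % body[pos:pos + 30])
        value = om.group(2)
        options.append((om.group(1), value.strip() if value is not None else None))
        pos = om.end()
    rule["options"] = options
    return rule


def lint_rules(text):
    """Return (line_number, problem) pairs for a local.rules file given as a string."""
    problems, sid_lines = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment
        try:
            rule = parse_rule(stripped)
        except ValueError as exc:
            problems.append((lineno, str(exc)))
            continue
        opts = dict(rule["options"])
        if rule["action"] not in ACTIONS:
            problems.append((lineno, "unknown action %r" % rule["action"]))
        if "msg" not in opts:
            problems.append((lineno, "missing msg"))
        sid = opts.get("sid")
        if sid is None or not sid.isdigit():
            problems.append((lineno, "missing or non-numeric sid"))
            continue
        sid = int(sid)
        if sid < LOCAL_SID_MIN:
            problems.append((lineno, "sid %d is in the range reserved for official rules" % sid))
        if sid in sid_lines:
            problems.append((lineno, "sid %d already used on line %d" % (sid, sid_lines[sid])))
        else:
            sid_lines[sid] = lineno
    return problems


# constructed local.rules for the demonstration: line 4 reuses line 3's sid,
# line 5 uses a reserved sid, line 6 has no msg and line 7 is never closed
SAMPLE_RULES = """\
# local rules for the lab
alert icmp any any -> $HOME_NET any (msg:"Someone is pinging"; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 22 (msg:"Possible SSH Brute Force Attack"; flags:S; threshold:type both, track by_src, count 5, seconds 60; sid:1000002; rev:1;)
drop tcp any any -> $HOME_NET 21 (msg:"Possible FTP Brute Force Attack"; flags:S; threshold:type both, track by_src, count 5, seconds 20; sid:1000002; rev:1;)
alert tcp any any -> 192.168.152.129 80 (msg:"XSS is Detected"; flow:to_server,established; content:"onerror="; nocase; sid:10003; rev:1;)
alert tcp any any -> $HOME_NET any (flags:S; sid:1000004; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"unclosed rule"; sid:1000005; rev:1;
"""

if __name__ == "__main__":
    for lineno, problem in lint_rules(SAMPLE_RULES):
        print("line %d: %s" % (lineno, problem))
```

To check the real file, replace SAMPLE_RULES with `open("/etc/snort/rules/local.rules").read()`. The linter only checks structure; whether an option value is meaningful (for example a `flags:` letter Snort does not know) is still left to `snort -T`.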
Example of its application in unauthorized ssh connections
alert tcp any any -> $HOME_NET 22 (msg:"Possible SSH Brute Force Attack"; flags:S; threshold:type both, track by_src, count 5, seconds 60; sid:10002; rev:1;)
(Write the rule on a single line in local.rules; Snort does not accept a rule split across lines unless each line ends with a backslash.)
Explanation of the rule components:
alert tcp any any -> $HOME_NET 22: This part specifies that the rule is looking for
TCP traffic from any source IP and port, going to any IP within your defined
`HOME_NET` on port 22 (the default SSH port).
msg:"Possible SSH Brute Force Attack": The message that will be logged when this
rule is triggered.
flags:S: This looks for packets with only the SYN flag set, which are used to initiate TCP
connections, so each new connection attempt counts once.
threshold:type both, track by_src, count 5, seconds 60: This is a threshold condition.
It tracks by source IP, and the rule triggers once when a source has sent 5 connection attempts (SYN
packets) within 60 seconds, then stays silent for the rest of that 60-second interval, so a burst of
hundreds of attempts produces one alert per interval rather than one per attempt. (The threshold
keyword is deprecated in Snort 2.9 in favour of detection_filter, but is still accepted.)
sid:10002; rev:1: Every Snort rule needs a unique SID (Snort ID), and a revision
number.
Moreover, add this rule too. It fires on every single TCP connection attempt to HOME_NET, which lets you confirm that Snort sees the traffic at all before you test the threshold rule:
alert tcp any any -> $HOME_NET any (msg:"TCP Connection Attempt Detected"; flags:S; sid:10003; rev:1;)
Write it to the file and run the command.
Then, run Metasploitable and Kali.
Check the rule TCP Connection Attempt Detected:
You can see that we tried to connect to Metasploitable from Kali.
Now let’s check Possible SSH Brute Force Attack.
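How many alerts the SSH rule above raises for a given traffic pattern depends only on the threshold option, so it is worth modelling before running hydra. The following script is an added example for this lab, not Snort code and not part of the original handout: it implements the semantics the Snort 2.9 manual gives for the three threshold types (`limit`, `threshold` and `both`, tracked by source) and runs a `flags:S` rule for port 22 over constructed SYN events: a hydra-style burst from Kali, a slow attacker that stays under the count, and ordinary traffic. The timestamps and the 10.0.0.9 address are constructed; the other addresses are the lab network's.

```python
"""Model of Snort's `threshold` rule option, run over constructed SYN events."""
from collections import namedtuple

SynEvent = namedtuple("SynEvent", "time src dst dport")


class RuleThreshold:
    """Per-source event counter for `threshold: type T, track by_src, count N, seconds S`.

    Semantics as documented in the Snort 2.9 manual:
      limit      alert on the first N events in each S-second interval;
      threshold  alert on every N-th event during an interval;
      both       alert once, on the N-th event of an interval, then stay
                 silent for the rest of that interval.
    An interval starts with the first event seen from a source and is
    restarted by the first event that arrives after it has expired.
    """

    def __init__(self, kind, count, seconds):
        if kind not in ("limit", "threshold", "both"):
            raise ValueError("unknown threshold type: %r" % kind)
        self.kind, self.count, self.seconds = kind, count, seconds
        self._windows = {}  # src -> [interval_start, events_seen_in_interval]

    def observe(self, event):
        """Return True if Snort would raise an alert for this event."""
        win = self._windows.get(event.src)
        if win is None or event.time - win[0] >= self.seconds:
            win = self._windows[event.src] = [event.time, 0]  # (re)start interval
        win[1] += 1
        seen = win[1]
        if self.kind == "limit":
            return seen <= self.count
        if self.kind == "threshold":
            return seen % self.count == 0
        return seen == self.count  # both


def alerts_for(events, kind="both", count=5, seconds=60, dport=22):
    """Apply a `flags:S` rule on `dport` with the given threshold; return (time, src) per alert."""
    thr = RuleThreshold(kind, count, seconds)
    return [(e.time, e.src) for e in events if e.dport == dport and thr.observe(e)]


def constructed_traffic():
    """SYN events (constructed, not captured) as the Ubuntu sensor would see them."""
    victim = "192.168.152.129"
    events = []
    # hydra-style bursts from Kali: 30 SSH SYNs half a second apart, repeated 100 s later
    for start in (0.0, 100.0):
        events += [SynEvent(start + 0.5 * i, "192.168.152.128", victim, 22) for i in range(30)]
    # slow attacker: one SSH attempt every 20 s, never five inside a 60 s interval
    events += [SynEvent(20.0 * i, "10.0.0.9", victim, 22) for i in range(8)]
    # ordinary traffic: a single SSH login and ten web requests from the Ubuntu VM
    events.append(SynEvent(5.0, "192.168.152.130", victim, 22))
    events += [SynEvent(6.0 + i, "192.168.152.130", victim, 80) for i in range(10)]
    return sorted(events, key=lambda e: e.time)


if __name__ == "__main__":
    traffic = constructed_traffic()
    for kind in ("both", "limit", "threshold"):
        hits = alerts_for(traffic, kind)
        print("%-9s count 5 seconds 60 -> %2d alerts, first: %s" % (kind, len(hits), hits[:3]))
```

With `type both` the two hydra bursts produce exactly two alerts (on the fifth SYN of each), the slow attacker produces none, and the single legitimate login produces none; `type limit` would instead alert on the slow attacker's every attempt, which shows why `both` is the right choice for a brute-force rule. The same model applies to the FTP rule below with `seconds=20`.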
Drop
Let's now write a drop rule for getting rid of unwanted FTP connections.
drop tcp any any -> $HOME_NET 21 (msg:"Possible FTP Brute Force Attack"; flags:S; threshold:type both, track by_src, count 5, seconds 20; sid:10004; rev:1;)
Note: drop only blocks traffic when Snort runs inline on the traffic path (IPS mode). In this lab the Ubuntu VM sniffs the host-only network passively, so nothing is actually dropped and Snort does not act on drop rules; start it with `--treat-drop-as-alert` so that drop rules are loaded as alert rules and reported, which is what the extraction step below relies on. Real blocking would need Snort inline (for example `-Q` with an inline DAQ) or a firewall rule fed from the extracted addresses.
Run an FTP brute force with hydra in Kali (unpack the wordlist first with `sudo gunzip /usr/share/wordlists/rockyou.txt.gz` if it is still compressed):
hydra -l "root" -P /usr/share/wordlists/rockyou.txt ftp://192.168.152.129
Extract the source IPs that get detected:
sudo snort -q -l /var/log/snort/ -i ens33 -A console --treat-drop-as-alert -c /etc/snort/snort.conf | grep --line-buffered "Possible FTP Brute Force Attack" | awk '{print $13}' | awk -F ":" '{print $1}' >> drops.txt
`--line-buffered` makes grep pass each alert on as soon as it arrives; without it the output is buffered and drops.txt stays empty until the pipeline exits. Field 13 is the source address only because this message is five words long: in Snort's fast-alert format the columns are the timestamp, [**], [gid:sid:rev], the message words, [**], [Priority: N], {PROTO}, then source:port -> destination:port, so a message with a different number of words moves the address to another column.
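The awk pipeline above breaks as soon as the message length changes. The following script is an added example for this lab, not part of the original handout: it parses the one-line fast-alert format that `-A console` prints by its structure rather than by column, then collects the source addresses for a given message (the contents of drops.txt) and counts alerts per sid. The alert lines are constructed to match the format Snort 2.9 prints for rules without a classtype; the addresses are those of the lab network plus a made-up 10.0.0.9.

```python
"""Parse Snort fast-alert lines (the `-A console` format) by structure."""
import re
from collections import Counter

# 11/22-10:12:41.500000  [**] [1:10004:1] MESSAGE [**] [Classification: ...] [Priority: 0] {TCP} SRC:SPORT -> DST:DPORT
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[0-9a-fA-F.:]+?)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[0-9a-fA-F.:]+?)(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line):
    """Return the alert's fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        if alert[key] is not None:
            alert[key] = int(alert[key])
    return alert  # ICMP alerts carry no ports, so sport/dport stay None


def sources_for_message(lines, msg):
    """Unique source addresses, in first-seen order, of alerts whose msg is `msg`."""
    seen = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert and alert["msg"] == msg and alert["src"] not in seen:
            seen.append(alert["src"])
    return seen


def alerts_per_sid(lines):
    """Count alerts per (sid, msg): the overview a dashboard would show first."""
    return Counter((a["sid"], a["msg"]) for a in map(parse_fast_alert, lines) if a)


# constructed alert lines in the format Snort 2.9 prints with -A console;
# the last line is a non-alert status message that must be ignored
SAMPLE_ALERTS = """\
11/22-10:12:03.123456  [**] [1:10001:1] Someone is pinging [**] [Priority: 0] {ICMP} 192.168.152.128 -> 192.168.152.129
11/22-10:12:07.000001  [**] [1:10003:1] TCP Connection Attempt Detected [**] [Priority: 0] {TCP} 192.168.152.128:41022 -> 192.168.152.129:22
11/22-10:12:41.500000  [**] [1:10004:1] Possible FTP Brute Force Attack [**] [Priority: 0] {TCP} 192.168.152.128:45678 -> 192.168.152.129:21
11/22-10:13:01.500000  [**] [1:10004:1] Possible FTP Brute Force Attack [**] [Priority: 0] {TCP} 192.168.152.128:45702 -> 192.168.152.129:21
11/22-10:13:09.250000  [**] [1:10004:1] Possible FTP Brute Force Attack [**] [Priority: 0] {TCP} 10.0.0.9:51000 -> 192.168.152.129:21
Commencing packet processing (pid=4242)
""".splitlines()

if __name__ == "__main__":
    print("FTP brute-force sources:", sources_for_message(SAMPLE_ALERTS, "Possible FTP Brute Force Attack"))
    for (sid, msg), n in sorted(alerts_per_sid(SAMPLE_ALERTS).items()):
        print("sid %d  %-35s %d" % (sid, msg, n))
```

To use it on live output, read lines from `sys.stdin` instead of SAMPLE_ALERTS and pipe `sudo snort ... -A console ...` into the script; the same parser can replace the whitespace split in the log viewer at the end of this lab, since it separates the timestamp, message and addresses without guessing column positions.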
Example of Snort's Application in Detecting XSS
alert tcp any any -> 192.168.152.129 80 (msg:"XSS is Detected"; flow:to_server,established; content:".
The content pattern, the sid and rev, and the closing parenthesis of this rule are missing from this copy of the lab. A complete rule needs a `content:"...";` pattern to look for in requests to the web server (add `nocase;` to match regardless of letter case), followed by `sid:N; rev:1;)`. The destination is the Metasploitable address (192.168.152.129 in the network above); a placeholder in square brackets would not parse, because Snort uses square brackets for IP lists. `flow:to_server,established` restricts the match to client-to-server data on an established TCP connection, so only the request direction is inspected.
From Kali, submit a request containing the pattern to a web page on Metasploitable (for example through a form on one of its web applications) and press Enter.
You will get the alert (screenshot not reproduced here).
Bonus: Visualizing logs with web interface
Write the alerts into a log file. Snort must run as root, and the redirect is performed by your shell, so run the whole command from a root shell (`sudo -i`); alternatively `-A fast` writes the same one-line format to /var/log/snort/alert without a redirect.
snort -q -l /var/log/snort/ -i ens33 -A console -c /etc/snort/snort.conf > /var/log/snort/alerts.txt
Change directory to the place where the logs are stored and start a Python web server there. Bind it to the host-only address: it serves every file in the directory, including Snort's packet logs, to anyone who can reach the port, with no authentication, so it must stay on the isolated lab network.
cd /var/log/snort
python3 -m http.server --bind 192.168.152.130
Write this simple Node.js application into app.js. The HTML in the template strings was lost from this copy of the page and is reconstructed below; the alert text is HTML-escaped before it is inserted, because the viewer displays data that an attacker influenced.

```javascript
// Import the Express module to create a web server
const express = require('express');
// Import the Axios module for making HTTP requests
const axios = require('axios');
// Create an instance of an Express application
const app = express();
// Define the port number on which the server will listen
const port = 3000;
// URL of the alert file served by the Python http.server started above
// (address of the Ubuntu VM, port 8000, path of the log file)
const api = 'http://192.168.152.130:8000/alerts.txt';

// Escape log text before placing it in HTML, so nothing copied from an
// alert line can be interpreted as markup by the browser
const escapeHtml = (s) => String(s)
  .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
  .replace(/"/g, '&quot;').replace(/'/g, '&#39;');

// Define a function to convert log entries into HTML format
const getLogsHtml = (logs) => {
  return logs.map(log =>
    // Create an HTML structure for each log entry
    `<div class="entry"><span class="timestamp">${escapeHtml(log.timestamp)}</span> ` +
    `<span class="alert">${escapeHtml(log.alert)}</span></div>`
  ).join('\n');
};

// Define a route for the root ('/') URL
app.get('/', async (req, res) => {
  try {
    // Fetch log data from the API using Axios
    const response = await axios.get(api);
    // Split the data by new line and drop empty lines
    const logEntries = response.data.split('\n').filter(line => line.trim() !== '');
    // Split each entry into timestamp and alert parts; Snort's fast-alert
    // lines start with the timestamp followed by two spaces
    const formattedLogs = logEntries.map(entry => {
      const parts = entry.trim().split(/\s+/);
      return { timestamp: parts[0], alert: parts.slice(1).join(' ') };
    });
    // Convert the log entries into HTML format
    const logsHtml = getLogsHtml(formattedLogs);
    // HTML template for the page; the comment marks where the entries go
    const htmlTemplate = `<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>Log Viewer</title>
</head>
<body>
  <h1>Log Entries</h1>
  <!-- LOGS -->
</body>
</html>`;
    // Insert the log entries HTML into the template
    const finalHtml = htmlTemplate.replace('<!-- LOGS -->', logsHtml);
    // Send the final HTML as the response
    res.send(finalHtml);
  } catch (error) {
    // Handle any errors by sending a 500 error response
    res.status(500).send('Error fetching logs');
  }
});

// Start the server and listen on the specified port
app.listen(port, () => {
  console.log(`Server running on http://localhost:${port}`);
});
```
Install required packages and run the web app:
npm i express axios
node app.js
This setup chains three pieces: Snort writes alerts to a log file; a Python HTTP server exposes the directory where that file is stored; and the Node.js application fetches the file with Axios and renders each alert line as HTML through Express. The npm and node commands above install the two packages and start the web application, completing the path from packet to browser.
You will have a simple dashboard that shows the current alerts each time the page is reloaded. You may customize it with styling, automatic refresh, or views of other logs and actions.
Submission: You need to submit a PDF report that shows the implementation of the lab on
your computer with a set of screenshots. Be sure to include descriptions and analysis of
your results, and include the reports from your scans. Your report should be well-organized
and clearly written.
Include your full name and id.